
Showing posts from October, 2007

Windows Forensics and Incident Recovery

Windows Forensics and Incident Recovery Notes

Windows Event Log
- Clearing the Security Event Log generates event ID 517.
- Stealing info via USB drive may cause event ID 134: "Removable Storage Service". If the logs have been cleared, check the HKEY_LOCAL_MACHINE\System\MountedDevices registry key; a right click on these entries may show "RemoveableMedia".
- Logon events: http://support.microsoft.com/default.aspx?kbid=174073
- Logon types: http://support.microsoft.com/default.aspx?scid=kb;en-us;140714
- More security events: http://support.microsoft.com/kb/174074/

CMD line history
- doskey /history, or the RunMRU registry key

File associations
- C:\>assoc lists every association; C:\>assoc .exe ---> .exe=exefile
- ftype exefile ---> exefile="%1" %* ; shows what variables are used at runtime and matches the value in HKEY_CLASSES_ROOT\exefile\shell\open\command
- If this value has been modified by malware, use C:\>ftype exefile="%1" %* to change ba...
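A check for the association chain described in the notes above, added here as an example and not part of the original post: it parses the key=value output of assoc and ftype and reports where the .exe chain differs from the expected exefile="%1" %*. The sample outputs and the wrapper path are constructed placeholders.

```python
import re

# Expected chain from the notes: .exe -> exefile, and exefile must run the
# target itself with its arguments, i.e. exefile="%1" %*
EXPECTED_ASSOC = {".exe": "exefile"}
EXPECTED_FTYPE = {"exefile": '"%1" %*'}


def parse_kv_output(text):
    """Parse `assoc` / `ftype` style output (one key=value per line)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue  # blank lines and error text such as "File type ... not found"
        key, value = line.split("=", 1)
        # collapse repeated whitespace so cosmetic differences are not reported
        result[key.strip().lower()] = re.sub(r"\s+", " ", value.strip())
    return result


def check_associations(assoc_text, ftype_text):
    """Return a list of findings; an empty list means the .exe chain is intact."""
    assoc = parse_kv_output(assoc_text)
    ftype = parse_kv_output(ftype_text)
    findings = []
    for ext, expected_type in EXPECTED_ASSOC.items():
        actual_type = assoc.get(ext)
        if actual_type != expected_type:
            findings.append(f"{ext} maps to {actual_type!r}, expected {expected_type!r}")
        # inspect the command of whatever type the extension really points at
        command = ftype.get(actual_type) if actual_type else None
        expected_cmd = EXPECTED_FTYPE[expected_type]
        if command != expected_cmd:
            findings.append(f"{actual_type} runs {command!r}, expected {expected_cmd!r}")
    return findings


# Constructed sample output, modelled on what `assoc` and `ftype` print.
CLEAN_ASSOC = ".exe=exefile\n.txt=txtfile\n"
CLEAN_FTYPE = 'exefile="%1" %*\ntxtfile=%SystemRoot%\\system32\\NOTEPAD.EXE %1\n'
# Constructed tampered value: a wrapper inserted ahead of the real program
# (the path is a placeholder, not a real indicator).
TAMPERED_FTYPE = 'exefile="C:\\PLACEHOLDER\\wrapper.exe" "%1" %*\n'

if __name__ == "__main__":
    for finding in check_associations(CLEAN_ASSOC, TAMPERED_FTYPE):
        print(finding)
```

On a live system, feed it the output of assoc and ftype saved to files during triage; the registry value under HKEY_CLASSES_ROOT\exefile\shell\open\command should agree with what ftype reports.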